Date: Thu, 8 Oct 2015 14:29:30 +0200
From: Matthijs Kooijman <matthijs@...in.nl>
To: oss-security@...ts.openwall.com
Cc: alejandro@...ian.org, kevin@...nke.ca
Subject: CVE request - perl library UI::Dialog 1.09 - shell escaping vulnerability

Hi folks,

can you please assign a CVE for the UI::Dialog perl library? I
(re)discovered a flaw that allows arbitrary command execution when the
library is given untrusted strings to show in a menu prompt.

The flaw was initially reported in 2008 at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496448 but it seems
this never reached upstream. I recently reported the bug upstream
https://rt.cpan.org/Public/Bug/Display.html?id=107364, see that report
for some additional details.

Upstream has indicated that they are working on a fix (see upstream bug), but no
patches are available yet.

Impact seems limited; I'm not aware of any well-known programs that use
this library and are vulnerable (only two Debian packages depend on it,
and both use a UI::Dialog backend that is unaffected).

Thanks,

Matthijs
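The bug class behind this request, as an added example that is not part of the report above and not UI::Dialog's own code: a Perl wrapper that builds one command line for an external dialog program by interpolating menu strings into a shell-quoted string, beside the hardened form that passes an argv list so no shell ever parses the labels. The example substitutes printf(1) for the dialog(1) binary so it runs without dialog installed (an assumption made here purely so each argument is printed on its own line), and the menu label with shell metacharacters is constructed input.

```perl
#!/usr/bin/perl
# Added example, not code from UI::Dialog: shell-escaping of untrusted menu
# strings, vulnerable string form beside the hardened argv form.
use strict;
use warnings;

# Stand-in for dialog(1) (assumption for this example): printf(1) prints each
# argument it receives on its own line, which makes word splitting visible.
my $PROGRAM_CMD  = q{printf '%s\n'};    # used by the string-building path
my @PROGRAM_ARGV = ('printf', '%s\n');  # used by the argv path

# Constructed untrusted input: a menu label carrying shell metacharacters.
my $title = 'Choose an item';
my @items = (
    [ '1', 'Harmless label' ],
    [ '2', 'x" ; echo INJECTED ; echo "y' ],
);

# Vulnerable pattern: interpolate the strings into one command line and let
# /bin/sh parse it. The double quote inside the label closes the quoting, so
# the remainder of the label runs as separate commands.
sub build_menu_cmdline {
    my ($title, @items) = @_;
    my $cmd = qq{$PROGRAM_CMD --menu "$title" 0 0 0};
    $cmd .= qq{ "$_->[0]" "$_->[1]"} for @items;
    return $cmd;
}

sub run_vulnerable {
    my $cmd = build_menu_cmdline($title, @items);
    my $out = qx{$cmd};    # single string => sh -c, the label controls syntax
    return $out;
}

# Hardened pattern: hand the program an argv list. Perl's list-form system(),
# exec() and open('-|', LIST) call execvp() directly, so no shell is involved
# and each label reaches the program as exactly one argument.
sub build_menu_argv {
    my ($title, @items) = @_;
    my @argv = (@PROGRAM_ARGV, '--menu', $title, 0, 0, 0);
    push @argv, $_->[0], $_->[1] for @items;
    return @argv;
}

sub run_hardened {
    my @argv = build_menu_argv($title, @items);
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!";
    local $/;              # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

print "--- vulnerable: shell string with interpolated labels ---\n";
print run_vulnerable();    # label is split; an INJECTED line appears
print "--- hardened: argv list, no shell ---\n";
print run_hardened();      # label arrives verbatim as one argument
```

The vulnerable path prints an `INJECTED` line between the menu arguments, because the shell ran `echo INJECTED` from inside what the program believed was a label; the hardened path prints the full label `x" ; echo INJECTED ; echo "y` as a single line. When a single command string cannot be avoided (for example, because a pipe or redirection is part of the command), every untrusted element has to be quoted with something like String::ShellQuote's shell_quote() before being concatenated; relying on surrounding the value with double quotes, as the vulnerable path does, is exactly the pattern that fails.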

